Germany's Federal Financial Supervisory Authority (BaFin) reported a significant increase in IT incidents affecting payment services in 2023, highlighting growing operational risks in the financial sector.

BaFin Reports Rise in IT Incidents Among Financial Firms in 2023

According to data released by BaFin, approximately 235 payment incidents were reported last year, marking a 17.5% rise from 2022. The majority of these incidents, 94.9%, were classified as operational, stemming from internal errors rather than external security breaches.

“From BaFin ’s point of view, IT risks are among the main risks for the financial sector,” the German regulator commented. “Cyber attacks in particular can have serious consequences for financial companies. Concentrations in the outsourcing of IT services increase this risk.”

The regulator's findings reveal that about 78% of incidents resulted from process and system failures, underscoring the importance of robust internal controls alongside strong cybersecurity Cybersecurity Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Cybersecurity is a blanket term that refers to the protection of computer systems and networks from the theft.More broadly speaking, cybersecurity can also represent countermeasures against damage to hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.It was not long ago that the term cybersecurity not exist as it was first used in 1989. In today’s vernacular cybersecurity, refers to measures taken to protect a computer or computer Read this Term measures. Despite the overall increase in incidents, security-related events, such as cyber-attacks, accounted for only 5.1% of total reports.

BaFin's report also shed light on the impact of these incidents. In 2023, disruptions affected 7.12 million payment service users and impacted transactions totaling €52.74 billion. However, the authority noted that most incidents affected a relatively small number of users or transaction volumes, with a few severe cases skewing the averages.

The growing trend of IT outsourcing in the financial sector emerged as a key concern. Approximately 40% of reported payment incidents were attributed to service providers rather than the financial institutions themselves. This highlights the potential vulnerabilities created by concentration in IT service outsourcing.

E-banking and Mobile Banking Most Affected

Data from BaFin indicates that the sectors most impacted in the payment industry were e-banking and mobile banking services.

Many incidents were also recorded in the "others" category, which, as emphasized by the regulator, mainly pertained to delays in transaction processing. Regarding the affected functional areas, over 60% of incidents involved clearing and direct or indirect settlements of transactions.

“On average, an incident affected transactions with a volume of €224 million,” BaFin explained. “Half of all incidents even involved less than €14 million (median value). This shows that a few particularly serious incidents have a strong upward influence on the average value.”

DORA

Looking ahead, BaFin anticipates that the implementation of the Digital Operational Resilience Act (DORA) from January 17, 2025, will strengthen the sector's operational resilience. The new regulation Regulation Like any other industry with a high net worth, the financial services industry is tightly regulated to help curb illicit behavior and manipulation. Each asset class has its own set of protocols put in place to combat their respective forms of abuse.In the foreign exchange space, regulation is assumed by authorities in multiple jurisdictions, though ultimately lacking a binding international order. Who are the Industry’s Leading Regulators?Regulators such as the UK’s Financial Conduct Authority ( Like any other industry with a high net worth, the financial services industry is tightly regulated to help curb illicit behavior and manipulation. Each asset class has its own set of protocols put in place to combat their respective forms of abuse.In the foreign exchange space, regulation is assumed by authorities in multiple jurisdictions, though ultimately lacking a binding international order. Who are the Industry’s Leading Regulators?Regulators such as the UK’s Financial Conduct Authority ( Read this Term will extend reporting requirements for serious IT incidents across the entire financial sector and establish uniform standards for all financial companies.

“RA extends the reporting requirement for serious ICT incidents to the entire financial sector and defines uniform reporting requirements for all financial companies,” BaFin added.

The regulator expects that the expanded reporting under DORA will provide a more comprehensive view of incidents, enabling swifter responses to ensure financial stability.